From nobody Sun May 10 17:53:54 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7CD57C433F5 for ; Wed, 27 Apr 2022 15:26:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239842AbiD0PaA (ORCPT ); Wed, 27 Apr 2022 11:30:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39202 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239573AbiD0P36 (ORCPT ); Wed, 27 Apr 2022 11:29:58 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id BDA3036A67E for ; Wed, 27 Apr 2022 08:26:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1651073205; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=1dggXmtnParX3s6CWVf4SQVhg+VlIqzTsxVQxpElgZI=; b=aUNvG9AY53v8FJjD357xpKljxdGbatOPR2o5iSa7PcJWfgQi2L0XVcfBhySuZJt7jMY+ng dJirazro2EKiGmhkAKWD/z9ES0EkLgzlIizUoLeYbpbsexn3dsRITnP3OPMWkoQ5phbwVj FrnPOfO6WyzyRKMeWC7o2gIzvdjrYnw= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-468-nkRfXIeJN3utbjYLsU_mqA-1; Wed, 27 Apr 2022 11:26:41 -0400 X-MC-Unique: nkRfXIeJN3utbjYLsU_mqA-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 0617029DD991; Wed, 27 Apr 2022 15:26:41 +0000 (UTC) Received: from file01.intranet.prod.int.rdu2.redhat.com (file01.intranet.prod.int.rdu2.redhat.com [10.11.5.7]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EEF52401475; Wed, 27 Apr 2022 15:26:40 +0000 (UTC) Received: from file01.intranet.prod.int.rdu2.redhat.com (localhost [127.0.0.1]) by file01.intranet.prod.int.rdu2.redhat.com (8.14.4/8.14.4) with ESMTP id 23RFQeCt021649; Wed, 27 Apr 2022 11:26:40 -0400 Received: from localhost (mpatocka@localhost) by file01.intranet.prod.int.rdu2.redhat.com (8.14.4/8.14.4/Submit) with ESMTP id 23RFQehO021645; Wed, 27 Apr 2022 11:26:40 -0400 X-Authentication-Warning: file01.intranet.prod.int.rdu2.redhat.com: mpatocka owned process doing -bs Date: Wed, 27 Apr 2022 11:26:40 -0400 (EDT) From: Mikulas Patocka X-X-Sender: mpatocka@file01.intranet.prod.int.rdu2.redhat.com To: Linus Torvalds cc: Andy Shevchenko , Mimi Zohar , device-mapper development , Linux Kernel Mailing List , Mike Snitzer , Milan Broz Subject: [PATCH v3] hex2bin: fix access beyond string end In-Reply-To: Message-ID: References: User-Agent: Alpine 2.02 (LRH 1266 2009-07-14) MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.85 on 10.11.54.10 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: TEXT/PLAIN; charset="utf-8" If we pass too short string to "hex2bin" (and the string size without the terminating NUL character is even), "hex2bin" reads one byte after the terminating NUL character. This patch fixes it. Note that hex_to_bin returns -1 on error and hex2bin return -EINVAL on error - so we can't just return the variable "hi" or "lo" on error. This inconsistency may be fixed in the next merge window, but for the purpose of fixing this bug, we just preserve the existing behavior and return -1 and -EINVAL. Signed-off-by: Mikulas Patocka Reviewed-by: Andy Shevchenko Fixes: b78049831ffe ("lib: add error checking to hex2bin") Cc: stable@vger.kernel.org --- lib/hexdump.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) Index: linux-2.6/lib/hexdump.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- linux-2.6.orig/lib/hexdump.c 2022-04-24 18:51:16.000000000 +0200 +++ linux-2.6/lib/hexdump.c 2022-04-27 17:16:38.000000000 +0200 @@ -45,10 +45,13 @@ EXPORT_SYMBOL(hex_to_bin); int hex2bin(u8 *dst, const char *src, size_t count) { while (count--) { - int hi =3D hex_to_bin(*src++); - int lo =3D hex_to_bin(*src++); + int hi, lo; =20 - if ((hi < 0) || (lo < 0)) + hi =3D hex_to_bin(*src++); + if (unlikely(hi < 0)) + return -EINVAL; + lo =3D hex_to_bin(*src++); + if (unlikely(lo < 0)) return -EINVAL; =20 *dst++ =3D (hi << 4) | lo;